stalecontext f600b75d36 Enable embedded outpost for forward auth support
The embedded outpost was disabled (DISABLE_EMBEDDED_OUTPOST=true) which
caused 404 on /outpost.goauthentik.io/* paths, breaking nginx forward
auth with proxy providers. The embedded outpost runs inside the server
process and does not spawn containers, so it is safe to enable on Cloudron.

Also sets AUTHENTIK_HOST from CLOUDRON_APP_DOMAIN so the outpost knows
its public URL for redirects.
2026-02-14 22:52:57 -05:00

authentik for Cloudron

A Cloudron app package for authentik — an open-source identity provider focused on flexibility and versatility, supporting OAuth2/OIDC, SAML, LDAP, RADIUS, SCIM, and proxy authentication.

What is authentik?

authentik is a comprehensive identity provider and single sign-on (SSO) platform that centralizes user management across all your applications.

Supported Protocols

| Protocol      | Use Case                                  |
|---------------|-------------------------------------------|
| OAuth2 / OIDC | Modern web and mobile apps                |
| SAML 2.0      | Enterprise SSO integrations               |
| LDAP          | Legacy application directory              |
| RADIUS        | Network device authentication             |
| SCIM          | User provisioning and sync                |
| Proxy         | Protect apps without native SSO support   |

Key Features

  • Single Sign-On — one login for all your applications
  • Multi-Factor Authentication — TOTP, WebAuthn/FIDO2, SMS, Email OTP, static tokens
  • Visual Flow Designer — customizable login, enrollment, and recovery flows
  • User Self-Service — password resets, profile management, account recovery
  • Directory Sync — sync users from Active Directory, LDAP, or SCIM sources
  • Application Proxy — protect applications without native SSO support
  • Branding — customizable themes and login pages per application

Cloudron Integration

This package runs authentik on Cloudron with:

  • Automatic TLS — Cloudron handles HTTPS termination
  • Automatic backups — persistent data at /app/data/ is backed up by Cloudron
  • PostgreSQL addon — managed database provided by Cloudron
  • Email addon — outbound email via Cloudron's mail system
  • LDAP/LDAPS ports — exposed TCP ports for LDAP provider functionality
  • Reverse proxy — Cloudron proxies HTTP traffic to authentik on port 9000

Addons Used

| Addon        | Purpose                                              |
|--------------|------------------------------------------------------|
| localstorage | Persistent storage for media, certs, templates       |
| postgresql   | Database for users, flows, policies, events          |
| sendmail     | Outbound email for notifications and password resets |

Exposed Ports

| Port | Protocol | Purpose                                |
|------|----------|----------------------------------------|
| 9000 | HTTP     | Web UI and API (proxied by Cloudron)   |
| 3389 | TCP      | LDAP provider                          |
| 6636 | TCP      | LDAPS provider (TLS)                   |

Installation

Prerequisites

Quick Start

  1. Clone this repository:

    git clone https://github.com/stalecontext/authentik-cloudron-app.git
    cd authentik-cloudron-app
    
  2. Login to Cloudron:

    cloudron login
    
  3. Run the install script:

    ./install.bat
    

    Follow the prompts to choose your subdomain (e.g. auth.example.com).

  4. Create your admin account:

    • Visit https://your-subdomain/if/flow/initial-setup/ to complete first-time setup.

Updating

When you want to update to a newer version of authentik:

  1. Bump the versions:

    • CloudronManifest.json: version and upstreamVersion
    • Dockerfile: ARG AK_VERSION=
  2. Build and push:

    ./deploy.bat
    
  3. Update the running app:

    ./update-cloudron.bat
    

Project Structure

authentik-cloudron-app/
├── CloudronManifest.json    # Cloudron app manifest
├── Dockerfile               # Multi-stage build (upstream image → Cloudron base)
├── start.sh                 # Container startup script
├── sv-server.sh             # runit service: authentik server (Go proxy + ASGI)
├── sv-worker.sh             # runit service: authentik worker (Dramatiq task queue)
├── DESCRIPTION.md           # App description for Cloudron dashboard
├── CHANGELOG.md             # Version history
├── deploy.bat               # Build & push Docker image to Docker Hub
├── update-cloudron.bat      # Update running Cloudron app
├── install.bat              # First-time install to Cloudron
├── configure-cloudron.bat   # One-time Docker Hub setup
├── cloudron-wrapper.bat     # Windows env wrapper for Cloudron CLI
└── logo.png                 # App icon

How It Works

The Dockerfile uses a multi-stage build:

  1. Stage 1 — Pulls the official ghcr.io/goauthentik/server image
  2. Stage 2 — Copies the Python runtime, Go binary, web frontend, and application code onto cloudron/base:5.0.0, installs runtime dependencies, and sets up symlinks for persistent storage

The start.sh script runs on every container start:

  • Generates a secret key on first run
  • Injects PostgreSQL, email, and app URL configuration from Cloudron environment variables
  • Waits for the database and runs migrations
  • Starts both server and worker processes via runit
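The three start-up steps above, written out as an added example; this is not the package's own start.sh. It assumes Cloudron's standard addon variable names (CLOUDRON_POSTGRESQL_*, CLOUDRON_MAIL_*, CLOUDRON_APP_DOMAIN) and authentik's AUTHENTIK_<section>__<key> environment settings, and it keeps the embedded outpost enabled with AUTHENTIK_HOST derived from the app domain, as the latest commit describes.

```shell
#!/bin/bash
# Added example, not the package's start.sh. Variable names are assumptions
# based on Cloudron's addon docs and authentik's env-based configuration.
set -euo pipefail

# Create the secret key once and keep it under the persistent data dir.
# Regenerating it on every start would invalidate all sessions and signed
# cookies, so an existing key is reused; the file is owner-readable only.
ensure_secret_key() {
  local data_dir="$1" key_file="$1/secret_key"
  if [ ! -s "$key_file" ]; then
    mkdir -p "$data_dir"
    (umask 077; head -c 48 /dev/urandom | base64 | tr -d '\n' > "$key_file")
  fi
  chmod 600 "$key_file"
  cat "$key_file"
}

# Map the Cloudron addon variables onto authentik's settings. The outpost
# stays embedded and learns its public URL from the app domain.
export_authentik_env() {
  export AUTHENTIK_POSTGRESQL__HOST="$CLOUDRON_POSTGRESQL_HOST"
  export AUTHENTIK_POSTGRESQL__PORT="${CLOUDRON_POSTGRESQL_PORT:-5432}"
  export AUTHENTIK_POSTGRESQL__USER="$CLOUDRON_POSTGRESQL_USERNAME"
  export AUTHENTIK_POSTGRESQL__PASSWORD="$CLOUDRON_POSTGRESQL_PASSWORD"
  export AUTHENTIK_POSTGRESQL__NAME="$CLOUDRON_POSTGRESQL_DATABASE"
  export AUTHENTIK_EMAIL__HOST="$CLOUDRON_MAIL_SMTP_SERVER"
  export AUTHENTIK_EMAIL__PORT="${CLOUDRON_MAIL_SMTP_PORT:-25}"
  export AUTHENTIK_EMAIL__USERNAME="$CLOUDRON_MAIL_SMTP_USERNAME"
  export AUTHENTIK_EMAIL__PASSWORD="$CLOUDRON_MAIL_SMTP_PASSWORD"
  export AUTHENTIK_EMAIL__FROM="$CLOUDRON_MAIL_FROM"
  export AUTHENTIK_HOST="https://$CLOUDRON_APP_DOMAIN"
  export AUTHENTIK_DISABLE_EMBEDDED_OUTPOST=false
}

# Retry a readiness probe (e.g. pg_isready -h "$AUTHENTIK_POSTGRESQL__HOST")
# up to $1 times, one second apart. Returns 1 on timeout so the caller can
# abort instead of running migrations against a database that is not up.
wait_for() {
  local tries="$1"; shift
  local i
  for ((i = 1; i <= tries; i++)); do
    "$@" >/dev/null 2>&1 && return 0
    sleep 1
  done
  return 1
}
```

In a real start script the key is exported as AUTHENTIK_SECRET_KEY and wait_for is followed by the migration and runit steps.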

Architecture

authentik runs two processes managed by runit:

  • Server — Go reverse proxy + Python ASGI application serving the web UI and API
  • Worker — Dramatiq task queue processing background jobs (email, sync, scheduled tasks)

Both use PostgreSQL for the database, caching, channel layers, and task queue (no Redis required).

Configuration

authentik is configured through its admin interface at /if/admin/. Key areas:

  • Applications — Register apps for SSO (OAuth2, SAML, LDAP, Proxy, etc.)
  • Flows — Customize login, enrollment, recovery, and authorization flows
  • Directory — Manage users, groups, and directory sync sources
  • System — Branding, certificates, outposts, and tenant settings

All persistent data (media, certificates, custom templates) is stored in /app/data/, survives container restarts, and is included in Cloudron backups.

GeoIP (Optional)

To enable IP geolocation in event logs, place MaxMind GeoLite2 databases in the persistent storage:

  • /app/data/geoip/GeoLite2-City.mmdb
  • /app/data/geoip/GeoLite2-ASN.mmdb

License

This Cloudron packaging is provided as-is. authentik itself is licensed under a custom source-available license.